Permissions
caution
This is the SST v1.x Constructs doc. SST v2 is now released. If you are using v2, see the v2 Constructs doc. If you are looking to upgrade to v2, check out the upgrade steps.
SST makes it easy to select the level of access you want to grant while attaching permissions to your application.
The Permissions type is used in:
- The various attachPermissions style functions. For example, attachPermissions in the Function construct.
- The attachPermissionsForAuthUsers and attachPermissionsForUnauthUsers in the Cognito construct.
Examples
Let's look at the various ways to attach permissions. Starting with the most permissive option.
Take a simple function.
const fun = new Function(stack, "Function", { handler: "src/lambda.main" });
Giving full permissions
fun.attachPermissions("*");
This gives the function admin access to every resource in the account. It is the most permissive option and is only appropriate for prototyping; the options below narrow the grant step by step.
Access to a list of services
fun.attachPermissions(["s3", "dynamodb"]);
Specify a list of AWS services (the prefix used in IAM actions, such as s3 or dynamodb) that this function has complete access to. Takes a list of strings.
Access to a list of actions
fun.attachPermissions(["s3:PutObject", "dynamodb:PutItem"]);
Specify a list of IAM actions that this function is allowed to perform. Takes a list of strings. The actions are allowed on every resource of that service; to restrict them to specific resources, use the construct, tuple, or IAM policy forms below.
Access to a list of SST constructs
import { Topic, Table } from "@serverless-stack/resources";
const topic = new Topic(stack, "Topic");
const table = new Table(stack, "Table");
fun.bind([topic, table]);
To give access to SST constructs, bind them to the function. Read more about Resource Binding.
Access to a list of CDK constructs
import * as sns from "aws-cdk-lib/aws-sns";
import * as dynamodb from "aws-cdk-lib/aws-dynamodb";
const topic = new sns.Topic(stack, "Topic");
const table = new dynamodb.Table(stack, "Table");
fun.attachPermissions([topic, table]);
Specify which CDK constructs you want to give complete access to. Check out the list of supported constructs.
Access to a list of specific permissions in a construct
import * as sns from "aws-cdk-lib/aws-sns";
import * as dynamodb from "aws-cdk-lib/aws-dynamodb";
const topic = new sns.Topic(stack, "Topic");
const table = new dynamodb.Table(stack, "Table");
fun.attachPermissions([
[topic, "grantPublish"],
[table, "grantReadData"],
]);
Specify which permission in the construct you want to give access to. Specified as a tuple of construct and a grant permission function.
CDK constructs have methods of the format grantX that allow you to grant specific permissions. So in the example above, the grant functions are Topic.grantPublish and Table.grantReadData. The attachPermissions method takes the construct and calls the grant permission function specified.
Unlike the previous option, this supports all the CDK constructs.
List of IAM policies
import * as iam from "aws-cdk-lib/aws-iam";
// bucket and api are constructs defined elsewhere in the stack; region and
// account are the stack's region and account id (for example stack.region
// and stack.account).
fun.attachPermissions([
new iam.PolicyStatement({
actions: ["s3:*"],
effect: iam.Effect.ALLOW,
resources: [
// Double-quoted on purpose: "${cognito-identity.amazonaws.com:sub}" is an
// IAM policy variable and must reach IAM literally.
bucket.bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*",
],
}),
new iam.PolicyStatement({
actions: ["execute-api:Invoke"],
effect: iam.Effect.ALLOW,
resources: [
`arn:aws:execute-api:${region}:${account}:${api.httpApiId}/*`,
],
}),
]);
The cdk.aws-iam.PolicyStatement allows you to craft granular IAM policies that you can attach to the function. This is the only form that lets you scope actions to specific resources and use IAM policy variables such as ${cognito-identity.amazonaws.com:sub}. Note that the policy variable must be written in a normal quoted string, as above; inside a backtick template literal JavaScript would try to interpolate it and the code would not compile.
Types
Below are the types and enums used to support permissions in SST.
Permissions
Type : "*" | Permission[]
Takes a * or an array of Permission.
On a high level, you can either give admin access to all the resources in your account or a specific list of permissions, each of which can be as broad as a whole service or as narrow as a single IAM policy statement.
Permission
Type : string | cdk.IConstruct | [cdk.IConstruct, string] | cdk.aws-iam.PolicyStatement
Allows you to define the permission in a few different ways to control the level of access.
The name of the AWS service as used as the action prefix in an IAM policy.
"s3"
"dynamodb"
...
A CDK construct. Check out the list of supported constructs.
new cdk.aws-sns.Topic(stack, "Topic")
new cdk.aws-dynamodb.Table(stack, "Table")
...
A CDK construct with its specific grant permission method. Many CDK constructs have a method of the format grantX that allows you to grant specific permissions. Pass in the construct and grant method as a tuple.
// const topic = new cdk.aws-sns.Topic(stack, "Topic");
// const table = new sst.Table(stack, "Table");
[topic, "grantPublish"]
[table, "grantReadData"]
Or, pass in a policy statement.
new cdk.aws-iam.PolicyStatement({
actions: ["s3:*"],
effect: cdk.aws-iam.Effect.ALLOW,
resources: [
bucket.bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*",
],
})
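The Examples and Types sections above describe five shapes of Permission but do not show what each one turns into once it reaches IAM, which is what decides how much a compromised function can do. The following is an added example, not SST's own code or API: a self-contained model of the expansion from Permission values to IAM policy statements, followed by a least-privilege check run over the result. The string expansions ("*" to everything, "s3" to s3:* on every resource, "s3:PutObject" to one action on every resource) follow the "complete access" wording of this page; the ConstructLike type, the made-up ARNs, and the actions attributed to each grantX method are assumptions made for illustration.

```typescript
// Added example (not SST's code): models how the Permission values on this
// page become IAM policy statements, then audits them for wildcards.

type Statement = { Effect: "Allow"; Action: string[]; Resource: string[] };

// Hypothetical stand-in for a CDK construct: the service it belongs to, the
// ARN it protects, and the actions each of its grantX methods would allow.
type ConstructLike = {
  service: string;
  arn: string;
  grants: { [method: string]: string[] };
};

type Permission = string | ConstructLike | [ConstructLike, string] | Statement;
type Permissions = "*" | Permission[];

function isStatement(p: ConstructLike | Statement): p is Statement {
  return "Effect" in p;
}

function expand(p: Permission): Statement {
  if (typeof p === "string") {
    // "s3" grants every s3 action; "s3:PutObject" grants one action. Either
    // way the resource is "*": only the construct, tuple and PolicyStatement
    // forms below narrow the resource.
    const action = p.indexOf(":") === -1 ? `${p}:*` : p;
    return { Effect: "Allow", Action: [action], Resource: ["*"] };
  }
  if (Array.isArray(p)) {
    // [construct, "grantX"]: only the actions that grant method implies,
    // scoped to the construct's own ARN.
    const [construct, grant] = p;
    const actions = construct.grants[grant];
    if (!actions) throw new Error(`unknown grant method ${grant}`);
    return { Effect: "Allow", Action: actions, Resource: [construct.arn] };
  }
  if (isStatement(p)) return p; // hand-written statement passes through as-is
  // Bare construct: complete access, but to that one resource only.
  return { Effect: "Allow", Action: [`${p.service}:*`], Resource: [p.arn] };
}

export function buildPolicy(perms: Permissions): Statement[] {
  if (perms === "*") {
    return [{ Effect: "Allow", Action: ["*"], Resource: ["*"] }];
  }
  return perms.map(expand);
}

// Pre-deploy review check: report statements that are wildcard on actions,
// on a whole service, or on resources.
export function findOverlyBroad(statements: Statement[]): string[] {
  const findings: string[] = [];
  statements.forEach((s) => {
    s.Action.forEach((a) => {
      if (a === "*" || /:\*$/.test(a)) findings.push(`wildcard action ${a}`);
    });
    if (s.Resource.indexOf("*") !== -1) {
      findings.push(`wildcard resource for ${s.Action.join(",")}`);
    }
  });
  return findings;
}

// Constructed sample constructs; the ARNs and grant tables are made up.
export const topic: ConstructLike = {
  service: "sns",
  arn: "arn:aws:sns:us-east-1:123456789012:Topic",
  grants: { grantPublish: ["sns:Publish"] },
};
export const table: ConstructLike = {
  service: "dynamodb",
  arn: "arn:aws:dynamodb:us-east-1:123456789012:table/Table",
  grants: {
    grantReadData: ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
    grantWriteData: ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
  },
};

// The page's per-user bucket prefix. A double-quoted string keeps
// ${cognito-identity.amazonaws.com:sub} literal so IAM substitutes it at
// request time; a backtick template literal here would not even parse.
const bucketArn = "arn:aws:s3:::my-bucket"; // constructed
export const perUserPrefix: Statement = {
  Effect: "Allow",
  Action: ["s3:*"],
  Resource: [bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*"],
};
```

Running findOverlyBroad over buildPolicy(...) shows the progression the page walks through: "*" produces both a wildcard action and a wildcard resource, the service and action strings still leave the resource as "*", a bare construct is scoped to one ARN but allows every action on it, and only the tuple and PolicyStatement forms come out clean. In a real stack the equivalent check is to read the Lambda role's policy in the synthesized CloudFormation template before deploying.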
Supported Constructs
You can grant access to a CDK construct.
fun.attachPermissions([topic, table]);
Currently the following CDK constructs are supported.
- cdk.aws-sns.Topic
- cdk.aws-s3.Bucket
- cdk.aws-sqs.Queue
- cdk.aws-dynamodb.Table
- cdk.aws-kinesis.Stream
- cdk.aws-events.EventBus
- cdk.aws-rds.ServerlessCluster
- cdk.aws-kinesisfirehose-alpha.DeliveryStream
To add to this list, please open a new issue.